H12-841_V1.5 HCIP-Datacom-Campus Network Planning and Deployment V1.5 Question and Answers

In a virtualized campus network managed byiMaster NCE-Campus, traffic control between users or user groups is implemented throughsecurity groupsand apolicy control matrix. The configuration shown clearly reflects this mechanism.

The ACL usesucl-group names, such asResearch_Group,Sales_Group, andGuest_Group. These ucl-groups correspond tosecurity groupsdefined on iMaster NCE-Campus. The ACL rules explicitly permit IP traffic from one security group to other security groups. This type of ACL is automatically generated and delivered by the controller when apolicy control matrixis deployed.

A policy control matrix defineswho can access whomby specifying allow or deny relationships between security groups. Once the matrix is configured on iMaster NCE-Campus, the controller translates these logical policies into device-level ACLs and applies them to the appropriate enforcement points in the VXLAN fabric. The presence of multiple rules permitting traffic from one group to multiple destination groups is a typical outcome of deploying such a matrix.

Creating a security group alone would not generate ACL rules. Deploying inter-VN communication would involve route exchange or gateway configuration, not ucl-group–based ACLs. Creating an authorization result would associate users with security groups but would not generate inter-group ACL rules.

Therefore, the administrator operation that resulted in this configuration wasdeploying a policy control matrix, making optionAthe correct answer.

1 →dh group1

2 →main

3 →esp

4 →tunnel

In the IKE proposal, the Diffie-Hellman group defines the key exchange strength used during IKE Phase 1 negotiation, which is whydh group1corresponds to position 1 under the IKE proposal configuration. Theexchange-mode mainsetting is part of IKEv1 Phase 1 and therefore correctly matches position 2 under the IKE peer configuration.

For the IPsec proposal, thetransformspecifies the protocol used to protect data traffic; since ESP is explicitly required,espcorrectly maps to position 3. Finally, theencapsulation-mode tunneldefines how packets are encapsulated in IPsec VPNs between gateways, makingtunnelthe correct match for position 4.

This mapping strictly follows HCIP Datacom Campus Network IPsec and IKE configuration logic and aligns with standard Huawei VRP command behavior.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

Super VLAN is a Huawei campus network technology designed to solve broadcast domain and user isolation issues in large Layer 2 networks. It allows multiplesub-VLANsto be associated with a singleSuper VLAN, where the Super VLAN provides Layer 3 gateway services, and sub-VLANs remain Layer 2 isolated from each other. Users within different sub-VLANs cannot communicate directly at Layer 2, which effectively isolates users even though they share the same logical gateway.

This architecture significantly enhances user communication security by preventing direct Layer 2 attacks such as ARP spoofing or broadcast storms between users. In addition, broadcast packets generated within one sub-VLAN are confined to that sub-VLAN and do not propagate to others, preventing invalid or excessive broadcast traffic from impacting overall service quality.

Port isolation only isolates ports but does not provide centralized Layer 3 gateway management. IPSG focuses on IP address legitimacy enforcement rather than user isolation. Ethernet port security restricts MAC address access but does not control broadcast propagation or inter-user isolation across VLANs.

According to HCIP Datacom Campus Network design guidelines, Super VLAN is the correct technology for isolating users in the same VLAN scope while reducing broadcast impact and improving security, making option A correct.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In astatic VXLAN tunneldeployment, MAC address learning relies ondata-plane trafficrather than a control-plane protocol. Unlike BGP EVPN-based VXLAN, where MAC and IP information is distributed through BGP, static VXLAN does not have a centralized or dynamic control mechanism to advertise host information.

As a result, VTEPs learn remote MAC addresses by inspectingencapsulated traffic, such as ARP request and reply packets, exchanged between hosts in the same VXLAN segment. When a host sends an ARP request, the local VTEP encapsulates the frame into a VXLAN packet and forwards it to the remote VTEP. Upon receiving the packet, the remote VTEP extracts the source MAC address and associates it with the corresponding VNI and tunnel endpoint.

This data-plane learning mechanism means that MAC address entries are built dynamically as traffic flows, which is why initial host communication may require broadcast or unknown unicast flooding. According to HCIP Datacom Campus Network documentation, this behavior is a defining characteristic of static VXLAN deployments.

Therefore, the statement isTRUE, and optionAis correct.

WLAN planning and design aim to minimize co-channel and adjacent-channel interference while maximizing spectrum utilization and user experience. According to HCIP Datacom Campus Network WLAN design principles, proper channel planning is a core task, especially in environments with high user density.

On the2.4 GHz frequency band, only three non-overlapping channels—1, 6, and 11—are traditionally recommended. These channels do not overlap in frequency, which helps reduce interference between adjacent APs. Inhigh-density scenarios, to further improve spectrum utilization,channels 1, 5, 9, and 13can be used. This approach shortens the channel spacing but is acceptable when transmit power is well controlled and AP placement is carefully planned, enabling higher AP density while keeping interference manageable.

On the5 GHz frequency band, there are more available channels and less interference compared to 2.4 GHz. HCIP Datacom documentation recommendsstaggering high-frequency and low-frequency channels between adjacent APs. This staggered channel allocation reduces the likelihood of co-channel interference and improves overall throughput and roaming performance, especially in large or high-density campus deployments.

These channel planning strategies are standard WLAN design best practices supported by Huawei and are widely applied in enterprise campus networks. Therefore, the statement accurately reflects recommended WLAN planning principles and isTRUE.

In iMaster NCE-Campus–based virtualized campus networks,user network segmentsare logical subnets created within aVirtual Network (VN)to provide Layer 2 or Layer 3 connectivity for users. HCIP Datacom Campus Network documentation describes multiple flexible methods for creating these network segments during VN deployment, allowing administrators to balance efficiency and control.

Administrators canmanually create user network segments one by one, which is suitable for small-scale deployments or scenarios requiring precise customization of subnet parameters such as gateway address, VLAN, and IP pool. This method provides maximum control but is less efficient for large networks.

For medium- or large-scale deployments,batch import using templatesis widely supported and recommended. Templates allow administrators to define network segment parameters in advance and import multiple segments at once, significantly improving deployment efficiency and reducing configuration errors.

Another supported method isautomatic batch allocation, where iMaster NCE-Campus automatically allocates VNIs, VLANs, and IP resources from predefined resource pools. This method is commonly used in VXLAN Fabric deployments and enables fast, standardized VN provisioning with minimal manual input.

However,directly invoking user network segments from the global fabric resource poolis not supported during VN creation. The global resource pool is used for automatic allocation reference but does not allow direct binding of pre-created segments to a VN.

Therefore, the valid methods aremanual creation,template-based batch import, andautomatic batch allocation, making optionsA, B, and Dcorrect.

In the Huawei CloudCampus Solution for small- and medium-sized campus networks,AR series routersare commonly deployed asegress gatewaysto provide Internet access, WAN connectivity, and centralized management integration. According to HCIP Datacom Campus Network documentation, AR devices supportmultiple deployment and management modes, ensuring flexibility during initial deployment and ongoing operations.

It is correct that an AR functioning as an egress gateway supportsweb-based network management, which allows administrators to perform basic configuration through a graphical interface. AR devices also supportregistration center query, enabling zero-touch provisioning by automatically discovering and registering with iMaster NCE-Campus. In addition,DHCP Option 148-based deploymentis supported, allowing the AR to obtain controller address information dynamically and establish a management connection.

However, the statement becomes incorrect when it claims thatCLI-based deployment is not supported. In fact, AR routers fully supportCLI-based configuration and deployment, which remains a fundamental management method in Huawei network devices. CLI access is widely used for initial configuration, troubleshooting, advanced feature configuration, and scenarios where automated or graphical tools are not available.

HCIP Datacom documentation emphasizes that CloudCampus deployment modes areadditive, not mutually exclusive. Web-based management, registration center onboarding, DHCP Option 148, and CLI can all coexist, giving administrators flexibility to choose the most suitable method based on deployment conditions.

Therefore, since AR devicesdo support CLI-based deployment, the statement is incorrect, and the correct answer isFALSE.

In BGP EVPN-based VXLAN networks, route advertisement follows clearly defined standards regarding how endpoint and tunnel information is carried. According to HCIP Datacom Campus Network documentation,BGP EVPN does not use an EVPN Router MAC Extended Community to advertise the Router MAC of a VTEP. This statement is therefore incorrect.

In EVPN, different route types serve specific purposes. For example,EVPN Route Type 2 (MAC/IP Advertisement routes)are used to advertise MAC addresses (and optionally IP addresses) of endpoints. These routes associate endpoint information with a VTEP by using theBGP next-hop attribute, which contains the VTEP IP address. Similarly,EVPN Route Type 3 (Inclusive Multicast Ethernet Tag routes)also relies on the BGP next hop to identify the VTEP for VXLAN tunnel establishment and BUM traffic forwarding.

The Router MAC of a VTEP is alocal forwarding attribute, primarily used during VXLAN encapsulation and decapsulation on the device itself. It is not distributed through EVPN extended communities. While EVPN does define several extended communities for control and policy purposes, there is no standard or HCIP-defined “EVPN Router MAC Extended Community” used to carry the Router MAC field of a VTEP during route advertisement.

Therefore, based on HCIP Datacom Campus Network VXLAN EVPN principles, the statement is false.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

NQA on Huawei devices is designed to actively measure network performance by simulating service traffic and monitoring protocol behavior. It supports commonconnectivity and routing-related protocolsto detect delay, jitter, packet loss, and reachability.

NQA supportsICMP, which is widely used to test network connectivity and latency, makingoption D correct. It also supportsrouting protocol detection, including OSPF, enabling administrators to monitor routing convergence and path availability, validatingoption A.

DHCP and SNMP are management and configuration protocols rather than traffic or routing performance protocols. NQA does not actively simulate or monitor DHCP address allocation behavior or SNMP management communication, makingoptions B and C incorrect.

Thus, NQA focuses on traffic forwarding and routing health rather than control-plane management protocols.

In the Huawei free mobility solution based on iMaster NCE-Campus,IP-security groupsare used to associate user identities with IP addresses so that consistent security policies can be enforced regardless of user location. Apolicy enforcement point (PEP)must obtain IP-security group entries to correctly match traffic against security policies.

When the policy enforcement pointis not an authentication point, it cannot directly learn user identity information during access authentication. In this scenario, one supported method is to configureIP-security group entry subscriptionon iMaster NCE-Campus. After subscription is configured, iMaster NCE-Campus pushes the corresponding IP-security group entries to the policy enforcement point, which matches option A.

Another valid approach in this case is described in option B. If the authentication point and policy enforcement point are separate devices, theauthentication point can push IP-security group entriesto the policy enforcement point after successful user authentication. This ensures that enforcement devices receive real-time identity information.

If the policy enforcement pointalso functions as an authentication point, it can directly interact with iMaster NCE-Campus. In this scenario, iMaster NCE-Campusproactively pushes IP-security group entriesto the device, as stated in option C.

Option D is incorrect because iMaster NCE-Campus does not push IP-security group entries indiscriminately in all scenarios. The distribution mechanism depends on the role of the device and whether subscription or authentication-based pushing is configured.

Therefore, the correct answers are A, B, and C.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In Huawei campus access authentication designs, network access is divided intopre-authentication,isolation, andpost-authenticationdomains to control user access at different stages of authentication.

Thepre-authentication domainprovides users with only the most basic network services required to initiate authentication. These services typically includeDHCPandDNS. DHCP allows unauthenticated terminals to obtain IP addresses and basic network parameters, while DNS enables domain name resolution so that users can reach authentication portals or admission servers. Therefore,DHCP and DNS servers are essential components of the pre-authentication domain, making optionsC and D correct.

AnFTP serveris a general-purpose file transfer service and is not required for user authentication. Anantivirus serverbelongs to theisolation domain, where users are redirected if authentication fails or if their devices do not meet security posture requirements, such as outdated virus signatures. These servers provide remediation resources but are not part of the pre-authentication process.

According to HCIP Datacom Campus Network documentation, limiting the pre-authentication domain to only essential services reduces security risks while ensuring successful user onboarding.

In iMaster NCE-Campus, device management functions are tightly integrated with secure remote access mechanisms to ensure safe and efficient O&M operations. One such mechanism is theSSH proxy tunnel, which allows administrators to remotely access managed devices through the controller without directly exposing device management interfaces to the external network.

According to HCIP Datacom Campus Network documentation, theSSH proxy tunnel is automatically established when the Command Line function is usedon the Device Management page. When an administrator clicks theCommand Lineoption, iMaster NCE-Campus dynamically builds a secure SSH proxy channel between the controller and the target device. This enables real-time CLI access to the device through the web interface while maintaining strict security controls.

Other functions such asSummary,Entry Query, andDevice Configurationdo not require direct CLI interaction with the device. These functions rely on management protocols and configuration delivery mechanisms such as NETCONF or telemetry, and therefore do not trigger the establishment of an SSH proxy tunnel.

The Command Line function is specifically designed for scenarios such as advanced troubleshooting, manual verification, or executing device-level commands. Automatically enabling the SSH proxy tunnel at this moment ensures that CLI access is bothsecure and on-demand, reducing attack surfaces and simplifying remote maintenance.

Therefore, the function that automatically enables the SSH proxy tunnel isCommand Line, making optionDthe correct answer.

In campus network design, theegressis a critical point that connects the internal campus network to external networks such as the Internet or WAN. According to HCIP Datacom Campus Network architecture guidelines, ensuringhigh reliability at the egressis essential, even for small- and medium-sized campus networks, because external connectivity directly affects business continuity.

Deployingmulti-carrier linksat the egress is a recommended design practice to enhance reliability. Multi-carrier links refer to connecting the campus network todifferent service providersor independent external links. If one carrier experiences a failure, congestion, or maintenance issue, traffic can be switched to the backup carrier, ensuring uninterrupted external access. This approach significantly reduces the risk of service disruption caused by single-link or single-carrier failures.

For small- and medium-sized campuses, full redundancy with complex architectures may not be cost-effective. Multi-carrier backup links provide acost-efficient and practical solutionthat balances reliability and investment. Technologies such as static route backup, dynamic routing protocols, or policy-based routing can be used to implement automatic failover at the egress.

HCIP Datacom documentation emphasizes that egress reliability is not only a concern for large networks. Even smaller campuses require stable Internet and WAN access for cloud services, remote access, and centralized management platforms. Therefore, deploying multi-carrier links as backup at the egress is a valid and recommended design strategy.

Hence, the statement isTRUE.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

To deploy802.1X authenticationon Huawei campus switches and use aRADIUS serverfor user authentication and authorization, several core configuration components are mandatory. All four options listed are required for a complete and functional deployment.

Anauthentication domainis mandatory because it defines where user authentication requests are processed and which AAA schemes are used. Without a domain, the switch cannot determine how to handle authentication requests, makingoption A mandatory.

Anauthentication profileis also required. This profile binds authentication methods (such as 802.1X), authentication domains, and access policies together. Interfaces reference the authentication profile to determine how users are authenticated, sooption B is mandatory.

An802.1X access profiledefines detailed 802.1X parameters, such as authentication mode, reauthentication behavior, and client handling. This profile is bound to interfaces to enable 802.1X authentication on specific ports, makingoption C mandatory.

Finally, anAAA schemeis essential because it defines the authentication, authorization, and accounting methods used by the device, including RADIUS server configuration. Without an AAA scheme, the device cannot communicate with the RADIUS server or obtain user authorization information. Therefore,option D is mandatory.

According to HCIP Datacom Campus Network documentation, all four configuration steps are required to successfully enable 802.1X authentication with RADIUS-based access control.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

Telemetry is a next-generation network data collection technology designed to overcome the limitations of traditional SNMP polling. One of its major advantages is that it ismodel-driven, relying onYANG modelsto define structured and extensible data formats. This allows Telemetry to support various data types and provides stronger semantic meaning than SNMP MIBs, makingoption A correct.

Another key advantage ishigh-frequency data collection. Telemetry supportssecond-level or even sub-second-level reporting, enabling more precise and real-time network monitoring. This capability is critical for intelligent O&M scenarios such as fault prediction, traffic analysis, and SLA assurance. SNMP, by contrast, typically relies on periodic polling with much lower precision. Therefore,option D is correct.

Telemetry does not establish sessions based on SSH. Instead, it typically uses protocols such asgRPCover secure transport channels like TLS. Hence,option B is incorrect.

Option C is also incorrect because Telemetry focuses ondata subscription and reporting, not on configuring or managing device databases. Configuration management remains the responsibility of controllers or network management systems, not the Telemetry mechanism itself.

According to HCIP Datacom Campus Network documentation, Telemetry’s strengths lie in model-driven data representation and high-precision, real-time monitoring, making A and D the correct answers.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In iMaster NCE-Campus–based virtualized campus networks, thesiteis a fundamental management object used to organize and manage network resources. A site typically represents aphysical location or logical network scope, such as a campus, building, or branch, under a tenant. Tenants manage devices, configurations, and servicesby site, which makes statementB correct.

iMaster NCE-Campus allows administrators tocreate sites individually, enabling flexible deployment and incremental network construction. Therefore,statement C is correct. In addition, a site is created and owned by atenant administratorto represent the tenant’s network scope, makingstatement D correct.

StatementA is false. iMaster NCE-Campusdoes support batch site creation, which is commonly used in large-scale or MSP scenarios where many tenant sites or branch sites need to be deployed efficiently. Batch creation significantly reduces manual workload and improves deployment efficiency.

According to HCIP Datacom Campus Network documentation, site management supports bothsingle-site creation and batch site creation, enabling scalable and centralized O&M. Therefore, the statement claiming that batch site creation is not supported is incorrect.

iMaster NCE-Campus classifies network alarms into different severity levels to help administrators quickly understand the health status of the campus network and take appropriate actions. According to HCIP Datacom Campus Network documentation, alarms are typically categorized intocritical,major,warning, andinformationallevels, each represented by a distinct icon and color in the management interface.

In the displayed alarm summary, four types of icons are shown with corresponding numbers. Thered flame iconrepresents critical alarms, and the number next to it is0, indicating no critical alarms. Theorange lightning iconrepresents major alarms, and the number displayed is5, indicating five major alarms. Theyellow exclamation mark iconrepresentswarning alarms, and the number next to it is1. Finally, theblue information iconrepresents informational alarms, with a total of10.

Warning alarms indicate potential issues that do not immediately affect network operation but may develop into more serious problems if not addressed. These alarms require administrator attention but are less urgent than critical or major alarms. Accurately identifying the number of warning alarms helps prioritize troubleshooting and maintenance tasks.

Since the yellow warning icon shows the number1, this means there isone warning alarmcurrently generated on the network. Therefore, the correct answer is1, corresponding to optionB.

In a CloudCampus VXLAN fabric,node role planningis a fundamental design task that directly affects scalability, performance, and manageability. Huawei defines clear roles for fabric nodes, includingedge nodes,border nodes, and optionallyroute reflectors (RRs).

Statements A, B, and C correctly describe recommended design practices. Core devices are commonly deployed asborder nodesbecause they have higher performance and are well suited to connect the VXLAN fabric to external networks such as WANs or data centers. Access or aggregation devices acting asedge nodesenable end-to-end VXLAN automation and allow user traffic to be encapsulated and decapsulated close to the access layer. Additionally, when external networks exist in different physical locations, deployingmultiple border nodesimproves reliability and optimizes traffic paths.

Statement D is incorrect. In a VXLAN network usingBGP EVPN with route reflectors,edge nodes do not need to establish BGP peer relationships with each other. Instead, edge nodes establish BGP EVPN peer relationshipsonly with the RR, which centrally reflects EVPN routes to other nodes. This design significantly reduces the number of BGP sessions and improves scalability in large networks. Border nodes may also peer with the RR, but full-mesh peering between edge nodes is not required.

Therefore, the false statement isD, making it the correct answer.

According to HCIP Datacom Campus Network architecture principles, campus networks can be classified from multiple dimensions to support scientific planning, design, and deployment. These classification methods help network designers select appropriate architectures, devices, and technologies based on actual service requirements.

Network scaleis a primary classification dimension. Campus networks are commonly divided into small, medium, and large-scale networks based on the number of users, terminals, access points, and network devices. This classification directly influences topology design, such as whether a simple two-layer architecture or a more scalable three-layer architecture is required.

Served objectsis another important classification method. Campus networks may serve office users, guests, teaching staff, students, production terminals, IoT devices, or video surveillance systems. Different served objects have different requirements for bandwidth, security, and access control, making this dimension critical for policy and service design.

Access moderefers to how users and devices connect to the campus network, including wired access, wireless access, or a hybrid of both. This classification impacts WLAN planning, authentication methods, and network access control strategies.

Service complexityreflects the types and number of services carried by the network. A campus network may provide basic data services or support complex services such as voice, video, cloud access, and industry applications. Higher service complexity requires more advanced network design and management capabilities.

Therefore, all listed options are valid classification methods for campus networks.

In HCIP Datacom Campus Network VXLAN architecture, VXLAN tunnels are classified based onhow the tunnel endpoints are created and maintained, which is referred to as the VXLAN tunnel creation mode. According to Huawei VXLAN design principles, there aretwo valid VXLAN tunnel types: static VXLAN tunnels and dynamic VXLAN tunnels.

Astatic VXLAN tunnelis manually configured by an administrator. In this mode, the source VTEP IP address, destination VTEP IP address, and related parameters are explicitly specified on devices. Static VXLAN tunnels are typically used in small-scale networks or test environments where the number of VTEPs is limited and network topology is simple. However, static configuration lacks scalability and flexibility, making it unsuitable for large campus fabrics.

Adynamic VXLAN tunnelis automatically created based on control-plane learning mechanisms, such asBGP EVPN. In this mode, VTEPs learn remote VTEP IP addresses dynamically through EVPN route advertisements (for example, Type 3 routes). When a remote VTEP becomes reachable at the underlay Layer 3 level, the VXLAN tunnel is automatically established without manual intervention. This mode is widely used in modern campus and data center networks due to its scalability and automation capabilities.

Options A and D are incorrect becausestatelessandstatefulare not official VXLAN tunnel creation classifications in Huawei’s VXLAN implementation. VXLAN itself is an encapsulation mechanism, and tunnel state is not categorized in this manner.

Therefore, the correct VXLAN tunnel types based on creation mode arestatic VXLAN tunnels and dynamic VXLAN tunnels.

Encapsulating Security Payload (ESP) is one of the core protocols of the IPsec framework and is widely used in Huawei campus and SD-WAN network solutions to provide secure data transmission. ESP operates directly over IP and is identified by a uniqueIP protocol number, which allows network devices to recognize and process ESP packets correctly.

According to HCIP Datacom Campus Network documentation and standard IP protocol definitions,ESP uses protocol number 50. ESP provides essential security services such as data confidentiality through encryption, data integrity verification, authentication, and anti-replay protection. It can operate in bothtransport modeandtunnel mode, making it suitable for scenarios such as site-to-site VPNs and remote access VPNs.

The other options listed are incorrect.Protocol number 47is used by GRE (Generic Routing Encapsulation), which is a tunneling protocol and does not provide encryption.Protocol number 51is assigned to AH (Authentication Header), another IPsec protocol that provides integrity and authentication but does not support encryption.Protocol number 102is not associated with ESP or commonly used IPsec-related protocols.

Correct identification of ESP traffic using protocol number 50 is critical for firewall configuration, security policy enforcement, and proper forwarding of encrypted traffic in campus and WAN environments. Therefore, the correct answer is50, which corresponds to optionB.

SNMP and NETCONF are both commonly used network management protocols in campus networks, but they differ significantly in architecture, capabilities, and configuration management mechanisms. According to HCIP Datacom Campus Network documentation,NETCONF is designed for modern, model-driven network management, while SNMP is mainly used for monitoring and simple management.

Option A is incorrect because although both protocols use a client/server model, their roles are different. In SNMP, the managed device operates as an SNMP agent (server), while the NMS acts as the client. In NETCONF, the network device functions as the NETCONF server, and the management system is the client, not the other way around.

Option B is also incorrect because SNMP manages data using MIBs, whereas NETCONF usesdata models, typically based on YANG, instead of MIBs.

Option D is incorrect because SNMP does not support multiple configuration databases. It mainly provides basic read and write operations and is not suitable for complex configuration management or rollback.

Option C is correct. NETCONF provides alocking mechanismthat allows a client to lock a configuration datastore during configuration changes. This prevents multiple users or systems from modifying the same configuration simultaneously, avoiding conflicts and ensuring configuration consistency. This capability is a key advantage of NETCONF in intelligent campus network management and aligns with HCIP Datacom Campus Network best practices.

In the Huawei CloudCampus Solution, the architecture is typically divided into themanagement layerand thenetwork layer. The management layer, represented by platforms such as iMaster NCE-Campus, is responsible for centralized configuration, monitoring, policy delivery, and intelligent O&M. Communication between these two layers relies on standardizedmanagement and control protocols.

NETCONFis a key protocol used between the management layer and network devices. It provides a structured and reliable mechanism for delivering configurations, querying device status, and performing automated service deployment. NETCONF works closely with data models to ensure consistency and accuracy in configuration management.

SNMPis also widely used in the CloudCampus Solution for monitoring and fault management. Through SNMP, network devices report performance data, alarms, and status information to the management platform, enabling real-time visibility and proactive maintenance.

YANGis not a transport protocol but a data modeling language; however, it plays a critical role in management-layer communication. YANG models define the structure of configuration and operational data exchanged between the controller and devices, typically carried over NETCONF. Therefore, YANG-related information is effectively exchanged between the management and network layers.

RADIUS, on the other hand, is used for user authentication, authorization, and accounting. It operates between network devices and authentication servers, not between the management layer and the network layer.

Thus, the correct options areNETCONF, SNMP, and YANG.

iMaster NCE-CampusInsight is anintelligent O&M analysis componentin Huawei’s CloudCampus Solution, designed to provide deep visibility, experience assurance, and fault diagnosis based onreal service traffic and user behavior. The statement is incorrect because CampusInsight doesnot rely on SNMP technologyto achieve its core capabilities.

According to HCIP Datacom Campus Network documentation, traditional SNMP is mainly used for basic device monitoring, such as interface status, CPU usage, memory usage, and simple alarms. SNMP focuses ondevice-level metricsand does not provide sufficient granularity to analyze application performance, user experience, or end-to-end service paths.

In contrast, iMaster NCE-CampusInsight usestelemetry, traffic sampling, flow analysis, and packet-level inspection technologiesto collect real-time and fine-grained data directly from network devices. These technologies allow CampusInsight to analyzeactual service traffic, identify application behavior, locate faults across the network path, and proactively detect network exceptions that affect user experience.

CampusInsight correlates data such as flow information, latency, packet loss, and service reachability to perform intelligent analysis and root cause identification. This enables capabilities like application experience assurance, abnormal traffic detection, and proactive fault prediction, which are beyond the scope of SNMP-based monitoring.

Therefore, because iMaster NCE-CampusInsight does not use SNMP as its primary data collection method and instead relies on advanced telemetry and traffic analysis technologies, the statement isFALSE.

In the Huawei CloudCampus Solution, access points can operate in different modes depending on network size, architecture, and management requirements. For asmall- or medium-sized campus networkwhere asingle AP is used as the network egressand must becentrally managed by iMaster NCE-Campus, the recommended operating mode isCloud mode.

When an AP works inCloud mode, it establishes a direct management connection with iMaster NCE-Campus through the cloud. The AP can independently provide wireless access services while also performing gateway and egress functions, such as user traffic forwarding and policy enforcement. This eliminates the need to deploy a dedicated wireless AC or additional gateway devices, significantly simplifying network architecture and reducing deployment cost.

Fit modeAPs rely on a local or centralized AC for control and therefore cannot independently function as a network egress.RU modeis used only in Agile Distributed Wi-Fi scenarios and depends on a central AP, making it unsuitable for this scenario.Fat modeAPs can operate independently but lack deep integration with iMaster NCE-Campus for cloud-based centralized management and automated service provisioning.

HCIP Datacom Campus Network documentation highlights Cloud APs as the optimal choice for small and medium campuses that require simplified deployment, cloud-based management, and integrated gateway capabilities. Therefore, to meet both the management and egress requirements described, the AP should operate inCloud mode.

Hence, the correct answer isC.

In Huawei campus networks, access authentication and authorization are implemented based on the AAA framework. After a user is successfully authenticated, the network enforces anauthorization result, which defines what network resources the user is allowed to access and how traffic is controlled. These authorization results are typically delivered by the authentication server or configured locally on network devices.

According to HCIP Datacom Campus Network documentation,authorization results focus on policy and access control attributes, not basic network parameter assignment. Common authorization items includeVLAN assignment,security group assignment, andACL application. VLANs determine the user’s logical network location, security groups enable group-based policy control, and ACLs restrict or permit traffic based on predefined rules. These elements directly affect access permissions and security enforcement.

AnIP address, however, does not need to be defined in the authorization result. In campus networks, IP addresses are usually assigned dynamically throughDHCP, either by a DHCP server or a DHCP relay function on network devices. The IP address allocation process is independent of user authorization and does not represent an access control policy.

Separating IP address assignment from authorization simplifies network design and improves scalability. It allows users to obtain IP addresses automatically while access rights are enforced consistently through identity-based policies. Therefore, among the given options,IP addressis not an item that must be defined in the authorization result.

Hence, the correct answer isB.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In Huawei campus authentication architecture, anauthentication profiledefines how users are authenticated and which domain is used during authentication. A key concept is theforcible domain, which has the highest priority during domain selection. If a forcible domain is configured, the device ignores any domain information carried in the user name and forcibly authenticates the user in the specified domain. Therefore, statementD is correct.

Statement A is incorrect because the default domaincan be modifiedusing CLI commands, allowing administrators to flexibly control user authentication behavior. Statement B is also incorrect; on the same interface, different authentication types (such as 802.1X, MAC authentication, and Portal)can be configured with different domains, depending on access control requirements.

Statement C is incorrect because the default authentication triggering sequence on Huawei devices is802.1X → MAC address authentication → Portal authentication, not the order described. This sequence ensures strong authentication is attempted first before falling back to weaker mechanisms.

According to HCIP Datacom Campus Network documentation, forcible domain configuration guarantees unified policy enforcement and simplifies authentication control, making option D the only correct statement.

Huawei’s free mobility solution is designed to provide consistent user access control and policy enforcement across the campus network, regardless of user location. According to HCIP Datacom Campus Network documentation, the solution is built around severalclearly defined core roles, each with specific responsibilities.

Theauthentication deviceis a core role. It performs user authentication using methods such as 802.1X, MAC authentication, or portal authentication, and associates user identity information with IP addresses or security groups.

Thepolicy enforcement deviceis also a core role. It enforces security and access control policies based on IP-security group information, ensuring that traffic complies with defined policies wherever the user is connected.

iMaster NCE-Campusis another core component of the free mobility solution. It acts as the centralized management and control platform, responsible for policy definition, IP-security group management, and coordination of information distribution between authentication points and policy enforcement points.

Thepolicy control device, however, isnot a core roleexplicitly defined in Huawei’s free mobility architecture. Policy control functions are integrated into iMaster NCE-Campus rather than implemented as a separate standalone device role. Therefore, “policy control device” is not recognized as a core role in the free mobility solution.

As a result, option B is the correct answer, while the other options represent essential components of Huawei’s free mobility solution as defined in HCIP Datacom Campus Network materials.